Ransomware IOCs and Trends in Late 2015 and Early 2016

Ransomware continues to evolve and there are many articles online that detail its continual changes. For that reason I won’t be rehashing all the evolutionary changes of ransomware. Instead, this post seeks to point out some of the key trends in 2015 and 2016, as well as give analysts extra resources that will hopefully help them find and properly identify the more prevalent variants. To begin, I'll start with a very brief rundown of recent trends.

One notable event in 2015 was the discovery of the ransomware known as Linux.Encoder.1, which is considered the first ransomware to target Linux-based systems. Furthermore, while the first OS X ransomware was discovered in 2014 (FileCoder), there was a new OS X ransomware in 2016 called KeRanger. It might be too early to call this a trend, but obviously threat actors are looking to expand their reach.

The next noticeable change was a shift in who threat actors are targeting. For instance, SamSam (also known as Samas) was first introduced in February 2016 and made headlines for targeting enterprise networks, mainly hospitals. Instead of employing user-focused attack vectors like exploit kits and phishing, which cast a wide net, SamSam uses a targeted approach. Specifically, the attackers behind SamSam used open source tools like JexBoss to identify vulnerable JBoss application servers. Once they had a foothold in the network they moved laterally to compromise machines and hold them ransom. A full write-up on SamSam can be found here.
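As an added example (not part of the original post), here is a SOC-side check for the reconnaissance step described above: it parses web-server access logs for requests to JBoss management endpoints of the kind JexBoss probes, and notes which of them the server actually answered rather than rejected. The endpoint list and the combined log format are assumptions, and the log lines are constructed.

```python
import re

# Apache/nginx "combined" access-log format; constructed regex, not from the post.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

# Management/invoker endpoints that JBoss scanners such as JexBoss probe.
# Assumption: extend or trim this list to match what is actually deployed.
JBOSS_ENDPOINTS = ("/jmx-console", "/web-console", "/admin-console",
                   "/invoker/JMXInvokerServlet", "/invoker/EJBInvokerServlet")

def parse_line(line):
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    entry["path"] = entry["path"].split("?", 1)[0]  # drop any query string
    return entry

def is_jboss_probe(path):
    """True if the request path is a JBoss management endpoint or lives under one."""
    return any(path == ep or path.startswith(ep + "/") for ep in JBOSS_ENDPOINTS)

def summarize(lines):
    """Per source IP: number of probes, endpoints touched, and how many were
    answered with a non-4xx status (i.e. the interface is actually reachable)."""
    report = {}
    for line in lines:
        e = parse_line(line)
        if e is None or not is_jboss_probe(e["path"]):
            continue
        r = report.setdefault(e["ip"], {"hits": 0, "endpoints": set(), "served": 0})
        r["hits"] += 1
        r["endpoints"].add(e["path"])
        if e["status"] < 400:
            r["served"] += 1
    return {ip: {**r, "endpoints": sorted(r["endpoints"])} for ip, r in report.items()}

# Constructed sample log lines (not real traffic); 203.0.113.0/24 is documentation space.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2016:02:14:01 +0000] "GET /jmx-console/ HTTP/1.1" 200 5120
203.0.113.7 - - [10/Mar/2016:02:14:02 +0000] "GET /web-console/ HTTP/1.1" 404 210
203.0.113.7 - - [10/Mar/2016:02:14:03 +0000] "POST /invoker/JMXInvokerServlet HTTP/1.1" 200 88
198.51.100.3 - - [10/Mar/2016:02:15:10 +0000] "GET /index.html HTTP/1.1" 200 1024
this line is malformed and should be skipped
""".splitlines()
```

A source that touches several of these endpoints in quick succession, with some of them answering 200, is the pattern worth an analyst's attention; a single 404 is usually just background scanning.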

Below is a link to a comprehensive list of ransomware. This list is helpful for SOC analysts and the public, as it contains plenty of IOCs.